- CTO and Co-Founder of Packetloop.
- Pioneering Big Data Security Analytics.
- Spoken at Black Hat and Ruxcon.
- http://bitly.com/bundles/packetloop/
"We build toys. Some of those toys change the world"

- Nicholas Taleb



Uncertainty 



- Risk you can't measure.

- Castles, Casinos, War Zones.

- Let's get Bayesian: P(H|E).

- Industry suffering from overfit.

- Signatures, limited data, work once.



Exhibit A 



- CVE-2011-3192 - "Apache Killer"

- auxiliary/dos/http/apache_range_dos  2011-08-19  normal  Apache Range header DoS (Apache Killer)

- Snort 1:19825

  /Range\s*\x3A\s*bytes=([\d\x2D]+\x2C){50}/Hsmi

  /Range\s*\x3A\s*bytes=([\d\x2D]+[\x2C\s]*){50}/Hsmi
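As an added illustration of the overfitting point (this code is not from the original deck): the two revisions of the Snort 1:19825 pattern above, compiled in Python, beside a detector that parses the Range header and counts byte-range-specs instead of matching one serialisation of them. The header samples are constructed here; the Snort 'H' modifier selects the HTTP header buffer and has no regex equivalent, so the header line is passed in directly.

```python
import re

# The two pcre bodies from Snort SID 1:19825 as shown on the slide. Snort flags
# s/m/i map to re.S/re.M/re.I; the 'H' (HTTP header buffer) modifier has no
# regex equivalent, so callers hand over the raw header line.
SNORT_FLAGS = re.S | re.M | re.I
SID_19825_V1 = re.compile(r"Range\s*\x3A\s*bytes=([\d\x2D]+\x2C){50}", SNORT_FLAGS)
SID_19825_V2 = re.compile(r"Range\s*\x3A\s*bytes=([\d\x2D]+[\x2C\s]*){50}", SNORT_FLAGS)

# One byte-range-spec: "first-last", "first-" or "-suffix", whitespace tolerated.
RANGE_SPEC = re.compile(r"^\s*(?:\d+\s*-\s*\d*|-\s*\d+)\s*$")


def count_byte_ranges(header_value):
    """Count the byte-range-spec entries in a Range header value.

    Structural parsing instead of pattern matching: the detector reasons about
    the quantity the DoS actually depends on (number of ranges), not about one
    particular spelling of it, so it is harder to overfit to a single sample.
    """
    m = re.match(r"^\s*bytes\s*=\s*(.*)$", header_value, re.S | re.I)
    if not m:
        return 0
    return sum(1 for part in m.group(1).split(",") if RANGE_SPEC.match(part))


def classify(raw_header, threshold=50):
    """Return which of the three checks flags a raw 'Range: ...' header line."""
    value = raw_header.split(":", 1)[1] if ":" in raw_header else ""
    return {
        "sig_v1": bool(SID_19825_V1.search(raw_header)),
        "sig_v2": bool(SID_19825_V2.search(raw_header)),
        "parser": count_byte_ranges(value) >= threshold,
    }


def make_header(n, sep=","):
    """Constructed sample header with n open-ended ranges, e.g. 'Range: bytes=0-,1-,2-'."""
    return "Range: bytes=" + sep.join(f"{i}-" for i in range(n))


if __name__ == "__main__":
    # Exactly 50 ranges: v1 needs a trailing comma after the 50th range and misses it.
    # Comma-plus-space separators: v1 misses them; the v2 revision and the parser do not.
    for n, sep in ((60, ","), (50, ","), (60, ", "), (5, ",")):
        print(n, repr(sep), classify(make_header(n, sep)))
```
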



Unknown Unknowns. 



"There are known knowns; there are things we know that we know.

There are known unknowns; that is to say, there are things that we now know we don't know.

But there are also unknown unknowns - there are things we do not know we don't know."

— United States Secretary of Defense, Donald Rumsfeld 



Source: http://bit.ly/10l3ljp



Prevention Fails. 



Detection is the key. 



Prevention is the goal. 



The Big Data Promise 






- Full fidelity, higher accuracy, no aggregation, size and scale.

- Model complexity.

- Apply real science to the problem.

- "There are more chess games than the number of atoms in the universe" - Diego Rasskin-Gutman

- Induction and the Turkey Problem.



Kill Chains 



- Reconnaissance

- Weaponisation

- Delivery

- Exploitation

- Installation

- Command and Control

- Actions and Objectives



APT1 Kill Chain 



- Malware link or executable sent to target (spearphish or watering hole).

- Malware executed.

- Establish Command and Control.

- Lateral movement through privilege escalation.

- Data compressed and exfiltrated.



Invasion Games 



- Attackers vs Defenders.

- Attackers looking to stretch, avoid and challenge defensive lines to achieve their goal.

- Security is a contact sport.

- Manipulate Time and Space.

- Win collisions.



Invasion Games 



- Detect
- Deny
- Disrupt
- Degrade
- Deceive
- Destroy



Big Data Security Analytics 



- Size and Scale
- Visualization
- Fidelity
- Interaction
- Outlier Detection
- Attacker Profiling
- Enrichment
- Transform
- Prediction and Probability
- Intelligence sharing
- Statistical Analysis
- Feature Extraction
- Machine Learning
- Kill Chain Disruption



Size and Scale 



Network Streams 



- Complete record of all network data.

- Provides the highest fidelity to analysts.

- Only way to really understand subtle, targeted attacks.

- Play, pause and rewind your network.

- No need to have a specific logging setup.

- Dense feature space.



"The difficulty shifts from traffic collection to traffic analysis. If you can store hundreds of gigabytes of traffic per day, how do you make sense of it?"

- Richard Bejtlich



Map Reduce 
http://bit.ly/IQ5AYxc



It's all about Context. 



Context 



- Enriched information, not just IP addresses.

- Additional intelligence on attackers.

- Allows you to perform detective work.

- What if? Branch analysis and exploring data.

- Providing full fidelity and full context quickly.



It's really about feature space.



Hindsight is 20/20 



Realtime 



Streaming 
Real time topology



Anscombe's Quartet 
Source: Wikipedia - http://bit.ly/1IQSe5y



Anscombe's Quartet 
Source: visual.ly - http://bit.ly/105BcEI



Full HD 

Play, Pause, Rewind 



Deep Packet 

Inspection 



Finding Zero Days 



Attacker Information 



File Extraction 



Network 
Stream 



Real Time Data Delivery 



Log Stream 




Bias Collisions 



- Producing information as it arrives in the stream.

- Yaraprocessor
- Chopshop

- Enrich as much information as possible.
- What's the probability of the event?



ssdeep comparison 



Machine Learning

- High dimensional feature space.
- Models instead of signatures.
- Classification (class prediction).

- Operating system detection.

- Protocol detection.

- Finding novelty and outliers.
- Trained models, real time predictions.



Related ML Work 



- Frank Denis @jedisct

- Malware vs Big Data

- Jason Trost @jason_trost and John Munro

- Large Scale Malicious Domain Classification



Entropy and Covert Channels



Tor in HTTPS 



Tor/HTTPS PCA 



Meterpreter in HTTP



Meterpreter (HTTP) 



Geocoding



Tor Endpoints 



Torrent Triangulation 



Torrent 



- 1M attacks over 12 days.

- 17 attackers were also downloading torrents.

- Tor / Torrent are generally mutually exclusive.

- Good entropy on larger files for changing IPs.

- Torrent client + UA + OS classification.



Really? 






- 7 Weeks to 100 Push-Ups: Strengthen and Sculpt Your Arms, Abs, C

- 1000 Photoshop Tips and Tricks (Dec 2010)-Mantesh

- Footloose.2011.DVDRip.XviD-PADDO



Half Life of Data 



- Incredibly valuable just after creation.

- What is the half life of security data?

- Need to accommodate post hoc delivery of information.

- Probabilistic models making real time decisions.

- Full fidelity and long histories for Tactical, Operational and Strategic decisions.



Source: Nucleus Research - http://bit.ly/IOBRAeZ 



This is not SIEM.



!SIEM 

- Real time.

- Full fidelity.

- Explore and explain the data (evidence).

- Play, pause and rewind.

- Blink-and-you-miss-it technology.

- No aggregation. No parsers. Frictionless.

- Clear intelligence.

- Decision making platform.



One thing we can count on



Changing Tactics 



- Kill Chains will change.

- Commit, shift, delay defenders.

- Commit defenders to triaging an event that is not the real event.

- Shift defenders to other locations or targets.

- Create doubt in defenders so that they stay stationary.





Questions? 



@packetloop
@packetpig



